Lessons learned from building software at scale

This post by Paul Adams on the Intercon blog describes some of the lessons he and his development team have learned from building software and scaling it up as the company grows. I asked a few of my contacts at startup software firms what they thought of the post and there was mostly general agreement with what he posted.

Here are some of Adams’ main points to ponder.

Everyone has a different process, and the process itself changes as the company matures and grows. But his description is for their current team size of four product managers, four software designers, and 25 engineers. Like he says: “it’s not how we worked when we had a much smaller team, and it may not work when we have doubled our team.”

Create a culture where you can make small and incremental steps with lots of checkpoints, goals, and evaluations. “We always optimize for shipping the fastest, smallest, simplest thing that will get us closer to our objective and help us learn what works.” They have a weekly Friday afternoon beer-fueled demo to show how far they have gotten in their development for the week. Anyone can attend and provide comments.

Facetime is important. While a lot of folks can work remotely, they find productivity and collaboration increases when everyone is in the same room in a “pod.” Having run many remote teams, certainly local pods can be better but if you have the right managers, you can pull off remote teams too. It appears IBM is moving in this “local is better” mode lately.

Have small teams and make them strictly accountable. Adams has a series of accountability rules for when something goes wrong. Create these rules and teams and stick by them. “We never take a step without knowing the success measurement,” said one friend of mine, who agrees with much of what Adams says in his post. My friend also mentions when using small teams, “not all resources have a one-to-one relationship in terms of productivity; we find that we that the resources we use for prototyping new features can generally float between teams.”

Have a roadmap but keep things flexible and keep it transparent. “Everything in our roadmap is broken down by team objective, which is broken down into multiple projects, which in turn are broken down into individual releases,” said Adams. They use the Trello collaboration tool for this purpose, something that can either be a terrific asset or a major liability, depending on the buy-in from the rest of the team and how faithful they are to keeping it updated.

However, caution is advised: “The comprehensive approach that Adams describes would be entirely too much overhead for most startups,” says my friend. This might mean that you evaluate what it will take to produce the kind of detail that you really need. And this brings up one final point:

Don’t have too many tools, though. “Using software to build software is often slower than using whiteboards and Post-it notes. We use the minimum number of software tools to get the job done. When managing a product includes all of Google Docs, Trello, Github, Basecamp, Asana, Slack, Dropbox, and Confluence, then something is very wrong.”

Email encryption has become almost frictionless

As you loyal readers know (I guess that should just be “readers” since that implies some of you are disloyal), I have been using and writing about email encryption for two decades. It hasn’t been a bowl of cherries, to be sure. Back in 1998, when Marshall Rose and I wrote our landmark book “Internet Messaging,” we said that the state of secure Internet email standards and products is best described as a sucking chest wound.” Lately I have seen some glimmers of hope in this much-maligned product category.

Last week Network World posted my review of five products. Two of them I reviewed in 2015: HPE/Voltage Secure Email and Virtru Pro The other three are Inky (an end-to-end product), Zix Gateway, and Symantec Email Security.cloud. Zix was the overall winner. We’ll get to the results of these tests in a moment.

In the past, encryption was frankly a pain in the neck. Users hated it, either because they had to manage their own encryption key stores or had to go through additional steps to encrypt and decrypt their message traffic. As a consequence, few people used it in their email traffic, and most did under protest. One of the more notable “conscientious objectors” was none other than the inventory of PGP himself, Phil Zimmerman. In this infamous Motherboard story, the reporter tried to get him to exchange encrypted messages. Zimmerman sheepishly revealed that he was no longer using his own protocols, due to difficulties in getting a Mac client operational.

To make matter worse, if a recipient wasn’t using the same encryption provider as you were using, sending a message was a very painful process. If you had to use more than one system, it was even more trouble. I think I can safely say that these days are soon coming to an end, where encryption is almost completely frictionless.

By that I mean that there are situations where you don’t have to do anything, other than click on your “send” button in your emailer and off the message goes. The encryption happens under the covers. This means that encryption can be used more often, and that means that companies can be more secure in their message traffic.

This comes just in time, as the number of hacks with emails is increasing. And it is happened not only with email traffic, but with texting/instant message chats as well. Last week Checkpoint announced a way to intercept supposedly encrypted traffic from What’s App, and another popular chat service Confide was also shown to be subject to impersonation attacks.

So will that be enough to convince users to start using encryption for normal everyday emailing? I hope so. As the number of attacks and malware infections increase, enterprises need all the protection that they can muster and encrypting emails is a great place to start.

What I liked about Zix and some of the other products that I tested this time around was that they took steps to hide the key management from the users. Zimmerman would find this acceptable, to be sure. Some other products have come close to doing this by using identity-based encryption, which makes it easier to on-board a new user into their system with a few simple mouse clicks.

I also found intriguing is how Zix and others have incorporated data loss prevention (DLP) and detection into their encryption products. What this means is that all of these systems detect when sensitive information is about to be transmitted via email, and take steps to encrypt or otherwise protect the message in transit and how it will ultimately be consumed on the receiving end.

DLP has gone from something “nice to have” to more essential as part of business compliance and data leak hacks, both of which have increased its importance. Having this integration can be a big selling point of making the move to an encrypted email vendor, and we are glad to see this feature getting easier to use and to manage in these products.

Finally, the products have gotten better at what I call multi-modal email contexts. Users today are frequently switching from their Outlook desktop client to their smartphone email app to a webmailer for keeping track of their email stream. Having a product that can handle these different modalities is critical if it is going to make a claim towards being frictionless.

So why did Zix win? It was easy to install and manage, well-documented and had plenty of solid encryption features (see the screenshot here). It’s only downside was no mobile client for composing encrypted messages, but it got partial credit for having a very responsive designed webmailer that worked well on a phone’s small screen. Zix also includes its DLP features as part of its basic pricing structure, another plus.

We have come a long way on the encrypted email road. It is nice to finally have something nice to say about these products after all these years.

The rise of blockchain-as-a-service

With the announcement last week of the Enterprise Ethereum Alliance, it is timely to look at what is going on with blockchain technologies. The Alliance was formed to try to encourage a hybrid kind of blockchains with both public and private aspects. Its members include both cutting-edge startups along with established computer vendors such as Microsoft and major banks such as ING and Credit Suisse. As mentioned in this post by Tom Ding, a developer at String Labs, the Alliance could bring these disparate organizations together and find best-of-breed blockchain solutions that could benefit a variety of corporate development efforts.

When Bitcoin was invented, it was based on a very public blockchain database, one in which every transaction was open to anyone’s inspection. A public chain also allows anyone to create a new block, as long as they follow the protocol specs. But as blockchains matured, enterprises want something a bit more private, to have better control over the transactions for their own purposes and to control who is trusted to make new blocks.

This isn’t a mutually exclusive decision, and what is happening now is that many blockchain solutions use aspects from both public and private perspectives, as you can see from this infographic from Let’s Talk Payments.

You want the benefits of having multiple programmers hammering against an open source code base, with incentives for the blockchain community to improve the code and the overall network effects as more people enter this ecosystem. You also gain efficiencies as the number of developers scales up, and perhaps have future benefits where there is interoperability among the various different blockchain implementations. At least, that is theory espoused in a recent post on Medium here, where R Tyler Smith writes: “One thing that blockchains do extremely well is allow entities who do not trust one another to collaborate in a meaningful way.”

The Ethereum Alliance is just the latest milepost that blockchains are becoming more potentially useful for enterprise developers. Over the past year, several blockchain-as-a-service (BaaS) offerings have been introduced that make it easy to create your own blockchain with just a few clicks. Back in November 2015, Microsoft and ConsenSys built the first BaaS on top of Azure and now have several blockchain services available there. IBM followed in February 2016 with their own BaaS offering on BlueMix. IBM has a free starter plan that you can experiment with before you start spending serious money on their cloud implementations. Microsoft’s implementation is through its Azure Marketplace. There is no additional charge for blockchain services other than the cloud-based compute, network and storage resources used.

IBM’s BlueMix isn’t the only place the vendor has been active in this area: the company has been instrumental in supporting open source code regarding blockchain with large commitments to the Apache Hyperledger project. Not to be left out of things, the Amazon Web Services marketplace offers two blockchain-related service offerings. Finally, Deloitte has its own BaaS service offering as part of its Toronto-based blockchain consulting practice.
If you want to get started with BaaS, here is just one of numerous training videos that are available on the Microsoft virtual academy that covers the basics. There is also this informative white paper that goes into more details about how to deploy the Microsoft version of BaaS. IBM also has an informative video on some of the security issues you should consider here. (reg. req.)

Security Intelligence blog: Making the Move to an All-HTTPS Network

Many website operators have wrestled with the decision to move all their web infrastructure to support HTTPS protocols. The upside is obvious: better protection and a more secure pathway between browser and server. However, it isn’t all that easy to make the switch. In this piece that I wrote for IBM’s Security Intelligence blog, I bring up the case study of The Guardian’s website and what they did to make the transition. It took them more than a year and a lot of careful planning before they could fully support HTTPS.

HPE Insights: 8 lessons about IoT security learned from the Mirai botnet

Botnets are a major threat, and require a combination of methods to defend against massive traffic volumes. Experts recommend a combination of steps to guard against attacks. You’ve probably seen your fill of Mirai-inspired headlines, but keep reading my article on HPE’s latest website. You’ll learn something essential to maintaining your overall IT security posture. I provide an overall timeline of events since last fall, show how Mirai was first detected, and what things you should do to protect your enterprise infrastructure. 

HPE Insights: 9 ways to make IoT devices more secure

Devices must be more secure if IoT is to reach its full potential. The good news is that security policies and procedures can protect enterprise infrastructure, harden IoT configurations, and make the network smarter and more defensible. Here is where to start, in an article that I recently wrote for a new HPE IT site, where I provide what the bottom-line impact will be for enterprise IT folks and digest information from various sources, including the latest reports from the Broadband Internet Technical Advisory Group (BITAG) and the Cloud Security Alliance.

Security Intelligence blog: Protecting your staff when in co-working spaces

The number of innovative co-working spaces continues to rise around the world, and this doesn’t even include coffee shops, libraries and numerous other public places that offer free Wi-Fi. It’s important to consider the security implications of what these itinerant workers are doing. IT managers are challenged to keep their networks and data secure while encouraging remote workers to be productive, whether they’re dialing in from the local WeWork or reviewing emails at McDonald’s.

Here are some practical security considerations from my latest blog post for IBM’s SecurityIntelligence. 

Network World review: Microsoft Windows Defender comes up short

Microsoft’s latest version of its anti-malware tool, Windows Defender, is a frustrating product to evaluate. Once you examine the product in more detail, you will see why we cannot recommend it for enterprise use. And that is the frustration of this product: Microsoft is trying to do the right thing and offers a tempting feast, but ultimately offers an incomplete meal that is tough to digest. It is hard to track, hard to configure, hard to remove and hard to manage in a typical enterprise environment.

It might be all the antivirus that a home user needs, but when it comes to the business world, you are better off with something else.

You can read the full review in Network World here.

How women were one of the first computers

Back in the 1940s and 1950s, computers were people, not machines. And one group of these human computers worked at a NASA research lab in southern Virginia. An upcoming movie, Hidden Figures, focuses on how three of these human computers helped with John Glenn’s historic first US orbital flight in 1962. As you probably know, Glenn died earlier this week at the ripe old age of 95.

I haven’t yet seen the movie — it will be out in a few weeks. But the underlying story is terrific. The three human computers turn out to be three black women mathematicians, including Katherine Johnson (shown above) who recently received the Congressional Freedom Medal.

One of the interesting historical notes was Glenn insisted that Johnson check the electronic computer’s calculations of his orbit, to make sure they were accurate. This was back when computers filled rooms and were slower than the CPUs that are found in the average smartphone nowadays.

Johnson continued to work at NASA until 1986 combining her math talent with electronic computer skills. Her calculations proved critical to the success of the Apollo Moon landing program and the start of the Space Shuttle program, according to this NASA writeup.

There are a lot more video interviews with both the actresses Octavia Spencer, Taraji Henson (who plays Johnson) and Janelle Monae (shown above) and the real people behind the story here at NextGov.

In addition to the movie, there is a book by Margot Lee Shetterly that just was published.Why did it take so long for this story to come out? Shetterly apparently learned about the achievements of these women computers from her father, who “casually mentioned it to her in an offhand comment,” according to Rudy Horne, a math professor at Morehouse College and a consultant to the movie production. Horne got involved because his college was used as a film location (the college campus is used to simulate the NASA Langley campus in southern Virginia where the story takes place), and the director wanted a real math professor to check his calculations. One of the wonderful coincidences is that the current NASA administrator and Horne himself are both African Americans.

Horne was brought on early in the production, before the script was finalized, to ensure that the math checked out. I called him and asked about his role. “In the beginning of the film, the young Johnson is shown solving a series of equations on a blackboard. They originally showed her solving a functional analysis problem, which is more of a college level math course. I suggested a set of quadratic equations, which would be more appropriate for a younger student.” Horne made several other suggestions for the sets and props to show other math formulas. When I asked him what his favorite math-themed movie was, he said, “Good Will Hunting got the math right and had very believable scenes that showed how math professors interact. I am glad that was a consultant to this movie, and it is great if it will inspire other students to study math and science.” As an undergrad math major, me too.

Regaining Trust: What to do AFTER a Security Breach

In the past few years, it seems that large-scale data breaches have been occurring with depressing regularly. While it’s incredibly important to establish trustworthiness in any product, re-establishing trust after it has been violated is much harder to do. There is far less room for error when dealing with a customer base that already has reason for concern about an organization’s digital security.

untitledWhen breaches do occur, the best plan to regain trust is use webpages with plain language that contain plenty of specifics and constructive suggestions for issue resolution. In this article for UXPA Magazine, a professional journal for the user experience community, Danielle Cooley and I use the example of four recent breaches (Cici’s Pizza, Home Depot, Wendy’s Restaurants, and Omni Hotels) to see how each firm tried to regain its customers’ trust.